diff --git a/CHANGELOG.md b/CHANGELOG.md index 02982633..3fd0f7d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ The **patch** part changes incrementally at each release. ### Added * evocheck: explicit PATH * evolinux-base: On debian 10 and later, add noexec on /dev/shm +* evolinux-base: default value for "evolinux_ssh_group" * generate-ldif: support MariaDB 10.3 * listupgrade: install old-kernel-autoremoval script * mysql: activate binary logs by specifying log_bin path @@ -25,12 +26,14 @@ The **patch** part changes incrementally at each release. ### Changed * elasticsearch: listen on local interface only by default -* evocheck: upstream version 19.09 +* evocheck : update (version 19.09) from upstream * evocheck: cron jobs execute in verbose -* evomaintenance: upstream version 0.5.1 +* evolinux-base: use "evolinux_internal_group" for SSH authentication * evomaintenance: Turn on API by default (instead of DB) +* evomaintenance: upstream version 0.5.1 * php: By default, allow 128M for OpCache (instead of 64M) * squid: Remove wait time when we turn off squid +* squid: split systemd tasks into own file ### Fixed * lxc-php: Don't remove the default pool diff --git a/apt/templates/evolix_public.list.j2 b/apt/templates/evolix_public.list.j2 index 06de99c0..d5318e29 100644 --- a/apt/templates/evolix_public.list.j2 +++ b/apt/templates/evolix_public.list.j2 @@ -1,3 +1,4 @@ # {{ ansible_managed }} -deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +# deb http://pub.evolix.net/ {{ ansible_distribution_release }}/ +deb http://pub.evolix.net/ stretch/ diff --git a/evolinux-base/defaults/main.yml b/evolinux-base/defaults/main.yml index 134e99f5..52452841 100644 --- a/evolinux-base/defaults/main.yml +++ b/evolinux-base/defaults/main.yml 
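Review bot: The new `deb http://pub.evolix.net/ stretch/` line pins the stretch suite for every Debian release, whereas the line now commented out picked the suite from `ansible_distribution_release`, so hosts still on jessie also switch to stretch packages, not only buster. If the intent is to cover buster until a buster suite exists, keep the variable form for older releases and guard the override, e.g. `{% if ansible_distribution_major_version | int >= 10 %}deb http://pub.evolix.net/ stretch/{% else %}deb http://pub.evolix.net/ {{ ansible_distribution_release }}/{% endif %}`. A hard-coded suite in a sources template is easy to forget, so a comment such as `# buster: no dedicated suite yet, fall back to stretch (remove once one is published)` stating why and when to undo it belongs next to the line.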
@@ -79,6 +79,7 @@ evolinux_packages_diagnostic: True evolinux_packages_hardware: True evolinux_packages_common: True evolinux_packages_stretch: True +evolinux_packages_buster: True evolinux_packages_serveur_base: True evolinux_packages_purge_openntpd: True evolinux_packages_purge_locate: True @@ -124,6 +125,7 @@ evolinux_ssh_password_auth_addresses: "{{ evolinux_default_ssh_password_auth_add evolinux_ssh_match_address: True evolinux_ssh_disable_acceptenv: True evolinux_ssh_allow_current_user: False +evolinux_ssh_group: "evolinux-ssh" ### disabled because of a memory leak # # evolinux users diff --git a/evolinux-base/tasks/packages.yml b/evolinux-base/tasks/packages.yml index c510bab5..89586a72 100644 --- a/evolinux-base/tasks/packages.yml +++ b/evolinux-base/tasks/packages.yml @@ -95,6 +95,16 @@ - evolinux_packages_stretch - ansible_distribution_major_version | version_compare('9', '>=') +- name: Install/Update packages for Buster and later + apt: + name: "{{ item }}" + with_items: + - spectre-meltdown-checker + - binutils + when: + - evolinux_packages_buster + - ansible_distribution_major_version | version_compare('10', '>=') + - name: Customize logcheck recipient lineinfile: dest: /etc/logcheck/logcheck.conf diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml index c6b87cae..187a26df 100644 --- a/evolinux-base/tasks/ssh.yml +++ b/evolinux-base/tasks/ssh.yml @@ -11,7 +11,7 @@ # only the first instance of the keyword is applied. ยป # # We want to allow any user from a list of IP addresses to login with password, -# but users of the "evolix" group can't login with password from other IP addresses +# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses - name: "Security directives for Evolinux (Debian 10 or later)" blockinfile: 
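Review bot: The default added here is `evolinux_ssh_group: "evolinux-ssh"`, but the sshd Match block rewritten in evolinux-base/tasks/ssh.yml in this same commit (the comment hunk and the `Match Group {{ evolinux_internal_group }}` hunk) reads `evolinux_internal_group`, which no hunk of this diff defines. Unless `evolinux_internal_group` is set elsewhere in the role, that template fails on an undefined variable, and either way the new default is never consumed. Either point the Match block at the new variable, `Match Group {{ evolinux_ssh_group }}`, or add the missing default, and document the consumer next to the default, e.g. `# group whose members are denied password authentication (sshd "Match Group")`. The `validate: '/usr/sbin/sshd -t -f %s'` already on that task should reject an empty group name, which is good, but it cannot catch a naming mix-up that renders some other existing group.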
@@ -20,7 +20,7 @@ block: | Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }} PasswordAuthentication yes - Match Group evolix + Match Group {{ evolinux_internal_group }} PasswordAuthentication no insertafter: EOF validate: '/usr/sbin/sshd -t -f %s' diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall index 632f3e8a..17943994 100644 --- a/minifirewall/files/check_minifirewall +++ b/minifirewall/files/check_minifirewall @@ -10,7 +10,7 @@ is_alert5_enabled() { if test -f /etc/init.d/alert5; then test -f /etc/rc2.d/S*alert5 else - systemctl is-active alert5 | grep -q "^active$" + systemctl is-enabled alert5 -q fi } diff --git a/mysql/tasks/utils.yml b/mysql/tasks/utils.yml index 6f9fa53b..1f59f3f1 100644 --- a/mysql/tasks/utils.yml +++ b/mysql/tasks/utils.yml @@ -24,14 +24,23 @@ - mysql when: ansible_distribution_release == "jessie" -- name: "Install depends for mytop (Debian 9 or later)" +- name: "Install depends for mytop (stretch)" apt: name: "{{ item }}" with_items: - mariadb-client-10.1 - libconfig-inifiles-perl - libterm-readkey-perl - when: ansible_distribution_major_version | version_compare('9', '>=') + when: ansible_distribution_release == "stretch" + +- name: "Install depends for mytop (Debian 10 or later)" + apt: + name: "{{ item }}" + with_items: + - mariadb-client-10.3 + - libconfig-inifiles-perl + - libterm-readkey-perl + when: ansible_distribution_major_version | version_compare('10', '>=') - name: Read debian-sys-maint password shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3' diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml index 31570944..750875bb 100644 --- a/packweb-apache/tasks/apache.yml +++ b/packweb-apache/tasks/apache.yml 
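Review bot: `systemctl is-enabled alert5 -q` reports whether the unit is enabled at boot, not whether it is running, so the check changes meaning relative to the removed `is-active` test, even though it now matches the sysvinit branch that looks for an rc2.d symlink; a one-line comment above the call stating that `is_alert5_enabled` deliberately reports boot enablement would prevent someone "fixing" it back. Conventionally the option precedes the verb, `systemctl -q is-enabled alert5`. Note that `is-enabled` also exits 0 for states such as `static` or `indirect`, so if alert5 is ever shipped as a static unit the check will report it enabled; if that matters, compare the printed state explicitly as the old code did with `^active$`.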
@@ -21,19 +21,19 @@ name: '{{ item }}' state: present with_items: - - libapache2-mod-security2 - - modsecurity-crs - - apg + - libapache2-mod-security2 + - modsecurity-crs + - apg - name: Additional modules are enabled apache2_module: name: '{{ item }}' state: present with_items: - - ssl - - include - - negotiation - - alias + - ssl + - include + - negotiation + - alias - name: Copy Apache settings for modules copy: @@ -58,6 +58,5 @@ register: command_result changed_when: "'Enabling' in command_result.stderr" with_items: - - evolinux-evasive - - evolinux-modsec - + - evolinux-evasive + - evolinux-modsec diff --git a/packweb-apache/tasks/fhs_retrictions.yml b/packweb-apache/tasks/fhs_retrictions.yml index 2308db2a..1d370038 100644 --- a/packweb-apache/tasks/fhs_retrictions.yml +++ b/packweb-apache/tasks/fhs_retrictions.yml @@ -6,23 +6,23 @@ changed_when: "'changed' in command_result.stdout" failed_when: False with_items: - - / - - /etc - - /usr - - /usr/bin - - /var - - /var/log - - /home - - /bin - - /sbin - - /lib - - /usr/lib - - /usr/include - - /usr/bin - - /usr/sbin - - /usr/share - - /usr/share/doc - - /etc/default + - / + - /etc + - /usr + - /usr/bin + - /var + - /var/log + - /home + - /bin + - /sbin + - /lib + - /usr/lib + - /usr/include + - /usr/bin + - /usr/sbin + - /usr/share + - /usr/share/doc + - /etc/default - name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" 
@@ -30,20 +30,21 @@ changed_when: "'changed' in command_result.stdout" failed_when: False with_items: - - /var/log/apt - - /var/lib/dpkg - - /var/log/munin - - /var/backups - - /etc/init.d - - /etc/apache2 - - /etc/network - - /etc/phpmyadmin - - /var/log/installer + - /var/log/apt + - /var/lib/dpkg + - /var/log/munin + - /var/backups + - /etc/init.d + - /etc/apache2 + - /etc/network + - /etc/phpmyadmin + - /var/log/installer - name: Change group to www-data for /etc/phpmyadmin/ file: dest: /etc/phpmyadmin/ group: www-data + state: directory - name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" @@ -51,11 +52,11 @@ changed_when: "'changed' in command_result.stdout" failed_when: False with_items: - - /bin/ping - - /bin/ping6 - - /usr/bin/fping - - /usr/bin/fping6 - - /usr/bin/mtr + - /bin/ping + - /bin/ping6 + - /usr/bin/fping + - /usr/bin/fping6 + - /usr/bin/mtr - name: Set 640 permission on some files (/var/log/evolix.log, ...) shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" @@ -63,6 +64,5 @@ changed_when: "'changed' in command_result.stdout" failed_when: False with_items: - - /var/log/evolix.log - - /etc/warnquota.conf - + - /var/log/evolix.log + - /etc/warnquota.conf diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml index eac50843..dfc5e1a9 100644 --- a/packweb-apache/tasks/phpmyadmin.yml +++ b/packweb-apache/tasks/phpmyadmin.yml 
@@ -1,12 +1,23 @@ --- -- name: Install phpmyadmin +- name: Install apg apt: - name: '{{ item }}' - state: present - with_items: - - phpmyadmin - - apg + name: apg + +- name: Install phpmyadmin (Debian <=9) + apt: + name: phpmyadmin + when: ansible_distribution_major_version | version_compare('9', '<=') + +- include_role: + name: remount-usr + +# /!\ Warning: this is a temporary hack as phpmyadmin for Buster is not yet +# available +- name: Install phpmyadmin using sid package (Debian >=10) + apt: + deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb + when: ansible_distribution_major_version | version_compare('10', '>=') - name: Check if phpmyadmin default configuration is present stat: diff --git a/php/tasks/main.yml b/php/tasks/main.yml index 38ece76b..83321bff 100644 --- a/php/tasks/main.yml +++ b/php/tasks/main.yml @@ -9,4 +9,7 @@ when: ansible_distribution_release == "jessie" - include: main_stretch.yml + when: ansible_distribution_release == "stretch" + +- include: main_buster.yml when: ansible_distribution_major_version | version_compare('9', '>=') diff --git a/php/tasks/main_buster.yml b/php/tasks/main_buster.yml new file mode 100644 index 00000000..8556a503 --- /dev/null +++ b/php/tasks/main_buster.yml 
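Review bot: The new buster task installs phpmyadmin from `deb: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb`, a plain-HTTP download of a single .deb that bypasses the repository signature check apt applies to packages from a sources list, so a tampering intermediary or a compromised mirror can substitute the package unnoticed; the same pattern is introduced for php-log in webapps/evoadmin-web/tasks/packages.yml. Download the file with `get_url` and a pinned `checksum`, then install the local file, and keep the "temporary hack" comment together with the condition under which it is to be removed (sketch below; the destination path is illustrative and the checksum is a placeholder to fill in from a trusted source). The `include_role: remount-usr` added above carries no `when`, so it runs on every release unlike the task it prepares for; presumably harmless, but worth guarding the same way.
```yaml
- name: Download phpmyadmin sid package (Debian >=10)
  get_url:
    url: http://mirror.evolix.org/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-5_all.deb
    dest: /root/phpmyadmin_4.6.6-5_all.deb
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
  when: ansible_distribution_major_version | version_compare('10', '>=')

- name: Install phpmyadmin using sid package (Debian >=10)
  apt:
    deb: /root/phpmyadmin_4.6.6-5_all.deb
  when: ansible_distribution_major_version | version_compare('10', '>=')
```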
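Review bot: The new `include: main_buster.yml` is guarded by `version_compare('9', '>=')`, so on stretch both main_stretch.yml and main_buster.yml are included and the buster file's `set_fact` then replaces whatever the stretch file set. The condition should be `when: ansible_distribution_major_version | version_compare('10', '>=')`, the same guard the squid and mysql hunks of this commit use for their buster tasks.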
@@ -0,0 +1,95 @@ +--- + +- name: "Set variables (Debian 10 or later)" + set_fact: + php_cli_defaults_ini_file: /etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini + php_cli_custom_ini_file: /etc/php/7.3/cli/conf.d/zzz-evolinux-custom.ini + php_apache_defaults_ini_file: /etc/php/7.3/apache2/conf.d/z-evolinux-defaults.ini + php_apache_custom_ini_file: /etc/php/7.3/apache2/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_ini_file: /etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini + php_fpm_custom_ini_file: /etc/php/7.3/fpm/conf.d/zzz-evolinux-custom.ini + php_fpm_defaults_conf_file: /etc/php/7.3/fpm/pool.d/z-evolinux-defaults.conf + php_fpm_custom_conf_file: /etc/php/7.3/fpm/pool.d/zzz-evolinux-custom.conf + php_fpm_service_name: php7.3-fpm + +# Packages + +- name: "Set package list (Debian 9 or later)" + set_fact: + php_stretch_packages: + - php-cli + - php-gd + - php-intl + - php-imap + - php-ldap + - php-mysql + # php-mcrypt is no longer packaged for PHP 7.2 + - php-pgsql + - php-gettext + - php-curl + - php-ssh2 + - php-zip + - composer + - libphp-phpmailer + +- include: sury_pre.yml + when: php_sury_enable + +- name: "Install PHP packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: "{{ php_stretch_packages }}" + +- name: "Install mod_php packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php + - php + when: php_apache_enable + +- name: "Install PHP FPM packages (Debian 9 or later)" + apt: + name: '{{ item }}' + state: present + with_items: + - php-fpm + - php + when: php_fpm_enable + +# Configuration + +- name: Enforce permissions on PHP directory + file: + dest: "{{ item }}" + mode: "0755" + with_items: + - /etc/php + - /etc/php/7.3 + +- include: config_cli.yml +- name: Enforce permissions on PHP cli directory + file: + dest: /etc/php/7.3/cli + mode: "0755" + +- include: config_fpm.yml + when: php_fpm_enable +- name: Enforce permissions on PHP fpm directory + file: + dest: 
/etc/php/7.3/fpm + mode: "0755" + when: php_fpm_enable + +- include: config_apache.yml + when: php_apache_enable +- name: Enforce permissions on PHP apache2 directory + file: + dest: /etc/php/7.3/apache2 + mode: "0755" + when: php_apache_enable + +- include: sury_post.yml + when: php_sury_enable diff --git a/spamassasin/tasks/main.yml b/spamassasin/tasks/main.yml index 3d2efe0f..3353e882 100644 --- a/spamassasin/tasks/main.yml +++ b/spamassasin/tasks/main.yml @@ -4,10 +4,10 @@ name: "{{ item }}" state: present with_items: - - spamassassin - - evomaintenance + - spamassassin + - evomaintenance tags: - - spamassassin + - spamassassin - name: configure SpamAssasin copy: @@ -16,7 +16,7 @@ mode: "0644" notify: restart spamassassin tags: - - spamassassin + - spamassassin - name: enable SpamAssasin replace: @@ -25,7 +25,7 @@ replace: 'ENABLED=1' notify: restart spamassassin tags: - - spamassassin + - spamassassin - name: add amavis user to debian-spamd group user: @@ -33,7 +33,7 @@ groups: debian-spamd append: yes tags: - - spamassassin + - spamassassin - name: fix right on /var/lib/spamassassin file: @@ -41,12 +41,12 @@ state: directory mode: "0750" tags: - - spamassassin + - spamassassin - include_role: name: remount-usr tags: - - spamassassin + - spamassassin - name: copy sa-update.sh script copy: @@ -54,7 +54,7 @@ dest: /usr/share/scripts/sa-update.sh mode: "0750" tags: - - spamassassin + - spamassassin - name: enable sa-update.sh cron lineinfile: @@ -64,13 +64,13 @@ state: present mode: "0640" tags: - - spamassassin + - spamassassin - name: update SpamAssasin's rules command: "/usr/share/scripts/sa-update.sh" changed_when: false tags: - - spamassassin + - spamassassin - name: ensure SpamAssasin is started and enabled systemd: @@ -78,4 +78,4 @@ state: started enabled: True tags: - - spamassassin + - spamassassin diff --git a/squid/files/squid.service b/squid/files/squid.service new file mode 100644 index 00000000..67240beb --- /dev/null +++ b/squid/files/squid.service 
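Review bot: The task names and the fact name in this new buster-only file are carried over from the stretch variant, `"Set package list (Debian 9 or later)"`, `"Install PHP packages (Debian 9 or later)"` and `php_stretch_packages`, so play output and variable names will not tell an operator which variant actually ran; rename them to `php_buster_packages` and `(Debian 10 or later)`. The comment `# php-mcrypt is no longer packaged for PHP 7.2` sits in a PHP 7.3 file; `# php-mcrypt is not packaged since PHP 7.2` states the same fact without looking stale. The leading `set_fact` hard-codes `7.3` in nine paths plus the service name; one `php_version: "7.3"` fact expanded into them would make the next bump a one-line change. The permission tasks keep `mode: "0755"` quoted, which is the right form.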
@@ -0,0 +1,22 @@ +## Copyright (C) 1996-2019 The Squid Software Foundation and contributors +## +## Squid software is distributed under GPLv2+ license and includes +## contributions from numerous individuals and organizations. +## Please see the COPYING and CONTRIBUTORS files for details. +## + +[Unit] +Description=Squid Web Proxy Server +Documentation=man:squid(8) +After=network.target network-online.target nss-lookup.target + +[Service] +Type=forking +PIDFile=/var/run/squid.pid +ExecStartPre=/usr/sbin/squid --foreground -z +ExecStart=/usr/sbin/squid -sYC -f /etc/squid/evolinux-defaults.conf +ExecReload=/bin/kill -HUP $MAINPID +KillMode=mixed + +[Install] +WantedBy=multi-user.target diff --git a/squid/tasks/main.yml b/squid/tasks/main.yml index 17429954..31f03229 100644 --- a/squid/tasks/main.yml +++ b/squid/tasks/main.yml @@ -134,6 +134,9 @@ notify: "reload squid" when: ansible_distribution_major_version | version_compare('9', '>=') +- include: systemd.yml + when: ansible_distribution_major_version | version_compare('10', '>=') + - include: logrotate_jessie.yml when: ansible_distribution_release == "jessie" diff --git a/squid/tasks/systemd.yml b/squid/tasks/systemd.yml new file mode 100644 index 00000000..d4862477 --- /dev/null +++ b/squid/tasks/systemd.yml @@ -0,0 +1,14 @@ +--- + +- name: "Set custom systemd unit service (Debian 10 or later)" + copy: + src: squid.service + dest: /etc/systemd/system/squid.service + when: ansible_distribution_major_version | version_compare('10', '>=') + +- name: "Reload systemd and restart squid (Debian 10 or later)" + systemd: + name: squid + state: restarted + daemon_reload: yes + when: ansible_distribution_major_version | version_compare('10', '>=') diff --git a/webapps/evoadmin-web/tasks/packages.yml b/webapps/evoadmin-web/tasks/packages.yml index 2b0d013f..589462aa 100644 --- a/webapps/evoadmin-web/tasks/packages.yml +++ b/webapps/evoadmin-web/tasks/packages.yml 
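Review bot: `PIDFile=/var/run/squid.pid` uses the legacy `/var/run` prefix; recent systemd (the buster version included, as far as I know) logs a warning at unit load about a path below /var/run/ and maps it to /run, so write `PIDFile=/run/squid.pid` directly and avoid the noise in the journal. The `ExecStart` line hard-codes `-f /etc/squid/evolinux-defaults.conf`, which appears to be the whole reason for shipping a custom unit; a comment above `[Service]` saying so, e.g. `# Overrides the distribution unit only to point squid at evolinux-defaults.conf`, saves the next reader a diff against the packaged unit.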
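Review bot: `state: restarted` in "Reload systemd and restart squid" runs on every play, so squid is restarted on each run whether or not the unit file copied just above changed. Register the copy result and restart only on change, `register: squid_unit` on the copy task and `when: ansible_distribution_major_version | version_compare('10', '>=') and squid_unit.changed` on the restart, or notify a handler as the role already does with `notify: "reload squid"` in squid/tasks/main.yml. The two per-task `when:` guards repeat the one on the `include: systemd.yml` line in main.yml; harmless, but one place is enough and a comment naming which one is authoritative avoids drift.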
@@ -4,15 +4,37 @@ name: apt tasks_from: evolix_public.yml -- name: Install PHP packages +- name: Install PHP packages (Debian 10 and later) + apt: + name: '{{ item }}' + state: present + with_items: + - php-pear + when: ansible_distribution_major_version | version_compare('10', '>=') + +# /!\ Warning, this is a temporary hack +- include_role: + name: remount-usr + +# /!\ Warning, this is a temporary hack +- name: Install PHP packages from sid (Debian 10 and later) + apt: + deb: '{{ item }}' + state: present + with_items: + - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb' + when: ansible_distribution_major_version | version_compare('10', '>=') + +- name: Install PHP packages (stretch) apt: name: '{{ item }}' state: present with_items: - php-pear - php-log + when: ansible_distribution_release == "stretch" -- name: Install PHP5 packages +- name: Install PHP5 packages (jessie) apt: name: '{{ item }}' state: present